!injectdll – a WinDbg extension for DLL injection

Sebastian Solnica

Today I have a pleasure to present you my first WinDbg extension lld 🙂 For now it contains only one command: !injectdll, which allows you to inject a DLL into the process being debugged. There is a similar command in the sdbgext extension, but it works only for 32-bit processes. The usage is extremly simple – just remember to load the extension in the correct bitness (32-bit version for 32-bit processes). Example session may look as follows:

0:000> .load lld
0:000> !injectdll c:\temp\Test.exe
ModLoad: 00000001`3f820000 00000001`3f924000   c:\temp\Test.exe
ModLoad: 000007fe`fd960000 000007fe`fd98e000   C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`ff410000 000007fe`ff519000   C:\Windows\system32\MSCTF.dll
(bac.5a0): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`778c7800 cc              int     3

The binaries can be found under the release tab of the source code repository.

How it works

The logic behind this extension is quite simple and relies on the thread hijacking mechanism. I start the injection process by incrementing the suspend count for all the process threads except the current one. Then, I allocate a block of memory in the target process for storing the DLL name and the payload. I save the current thread context to a local variable and change the value of the registers required by the payload. Finally I resume the current thread which executes the payload and breaks back into the debugger, where I can decrement the suspend count of all the other threads and restore the hijacked thread context.

The payload is just four bytes long for 32bit and three bytes long for 64bit:

; x64
0x00000000 call rax
0x00000002 int3

; x86
0x00000000 push ecx
0x00000001 call eax
0x00000003 int3

I set the eax/rax registry to the address of the LoadLibraryA and the ecx/rcx registry to the address of the DLL name. As you can see, after the call the thread executes the breakpoint instruction (int3) and thus gets back to the debugger.

Final thoughts

I know the !injectdll command is probably not the most useful one, but in the next post I will show you an interesting way we could profit from it. So stay tuned 🙂

4 thoughts on “!injectdll – a WinDbg extension for DLL injection

    • Sebastian Solnica June 24, 2016 / 08:20

      Hahaha – yes, I will start by silently installing WinDbg on my victims’ systems 🙂

      Reply
  2. Ondrej Valenta June 24, 2016 / 13:05

    Yet again I envy you that you understand internal processes of Windows so much that you can do such extensions. I have to learn somewhere how these eax, ecx and so on..

    Reply
  3. Pingback: !injectdll – a remote thread approach – Low Level Design

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.